MedusaLocker Ransomware - What is it?

The only way to be successful is to have unique skills. This rule holds in the world of cybercrime as well. MedusaLocker shows impressive tricks that allow it to keep going despite all the changes in the ransomware landscape.



MedusaLocker Ransomware

April 19, 2023

MedusaLocker ransomware appeared in September 2019 and got off to a very rapid start with attacks on companies all over the world. During the pandemic, it gained notoriety as a ransomware group that targets hospitals and other organizations in the healthcare industry.

At first sight, MedusaLocker ransomware does not look like anything new compared to other ransomware groups. It behaves similarly, uses the same distribution channels, and takes almost the same steps after being injected into a corporate network. However, if you look more closely, you will see that MedusaLocker has a lot of tricks that set it apart from other ransomware families.

The distribution methods are typical for the majority of corporate-oriented ransomware: email spam and exploit usage. The first is used most often, since it has the highest chance of success. The further steps, however, differ from those used by other malware. MedusaLocker uses PowerShell vulnerabilities to launch its malicious code, but not directly. Using the batch file it carries inside its payload, the ransomware creates a separate Windows service and adds certain registry keys so that this service is allowed to run in Safe Mode.

Once the trick with the batch file and the service has succeeded, MedusaLocker reboots the PC into Safe Mode before taking any encryption actions. This step lets the virus avoid detection by anti-malware software before the encryption starts. When the reboot is complete, MedusaLocker proceeds to encryption.
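As an added, defender-side illustration (not code from the original article, nor from the malware), the following PowerShell script lists the services registered to start in Safe Mode and flags those whose image path is a script host, which is the kind of entry the batch-file trick described above would leave behind. It assumes the standard SafeBoot registry mechanism (the article does not name the keys or the service) and uses an illustrative baseline list that should be replaced with one exported from a known-clean machine.

```powershell
# Added example, not code from the original article: audit which services are
# registered to start in Windows Safe Mode. A service only runs in Safe Mode if
# a subkey named after it exists under SafeBoot\Minimal (Safe Mode) or
# SafeBoot\Network (Safe Mode with Networking) with a default value of "Service".
# Assumption: MedusaLocker uses this standard mechanism; the article does not
# name the keys or the service, so every non-baseline entry is reported.

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# Assumption: replace this illustrative list with an export taken from a
# known-clean reference machine of the same Windows build.
$Baseline = @('EventLog', 'PlugPlay', 'RpcSs', 'WinDefend', 'Dhcp', 'Dnscache')

# Image paths a batch-file-created service is likely to have: a script
# interpreter rather than a proper service binary.
$ScriptHost = '\.bat|\.cmd|cmd\.exe|powershell|wscript|cscript'

$installed = @{}
Get-CimInstance -ClassName Win32_Service | ForEach-Object { $installed[$_.Name] = $_ }

$findings = foreach ($profile in 'Minimal', 'Network') {
    $path = Join-Path $SafeBootRoot $profile
    if (-not (Test-Path $path)) { continue }

    foreach ($key in Get-ChildItem -Path $path) {
        $name = $key.PSChildName
        $kind = (Get-ItemProperty -Path $key.PSPath).'(default)'

        # "Driver" entries and device-class GUID keys are part of a normal install.
        if ($kind -ne 'Service' -or $Baseline -contains $name) { continue }

        $svc       = $installed[$name]
        $startMode = if ($svc) { $svc.StartMode } else { 'n/a' }
        $imagePath = if ($svc) { $svc.PathName } else { '<service not installed>' }
        [pscustomobject]@{
            SafeBootProfile = $profile
            ServiceName     = $name
            Installed       = [bool]$svc
            StartMode       = $startMode
            ImagePath       = $imagePath
            ScriptLaunched  = [bool]($svc -and $svc.PathName -match $ScriptHost)
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No non-baseline Safe Mode services found.' }
```

Run it elevated, since reading Win32_Service details and the SafeBoot hive is reliable only with administrator rights; a ScriptLaunched entry that is not in your baseline deserves immediate investigation.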

If the user account MedusaLocker ransomware has infected does not have administrator rights, the virus exploits another weakness: privilege escalation. This is done by the additional malware bundled inside MedusaLocker, the TrickBot trojan. It allows the ransomware to use administrator permissions and bypass UAC even on accounts that are not granted administrator privileges.

MedusaLocker uses hybrid encryption: AES-256 plus RSA-2048. There is no practical need for such a strong cipher, so it serves rather as a scare factor that pushes some users to pay. Like any other ransomware family, it keeps the decryption keys on a remote server, so there is no way to get them without paying. However, the encryption target is quite new: MedusaLocker attempts to encrypt all reachable shared directories, so even computers that were not attacked directly can have their files encrypted. The extensions this ransomware family appends after encryption are .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

Technical details

Note: .hta file with a random name. It states that your corporate network was attacked and warns that using third-party software may damage your files. It also contains a ransom escalation notice in case you don't pay the initial sum within the first 72 hours after the attack.
File pattern: %filename%.%original_extension%.%ransomware_extension%
Algorithm: AES+RSA
Features: Uses PowerShell vulnerabilities to make itself more resilient
Damage: Deletes backups created with Windows functionality and Volume Shadow Copies; suspends Microsoft Defender
Distribution: Email spam, exploitation of various vulnerabilities

The MedusaLocker ransom note looks as follows:

[Image: MedusaLocker ransom note]

Like many other ransomware families, MedusaLocker disables all Windows-based recovery options. Backups created with Windows built-in functionality, Volume Shadow Copies and Windows Updates are deleted. Updates are dangerous for this virus, because each major update can turn Microsoft Defender back on, as well as delete the registry entries this malware uses to maintain persistence.

Fake claims

Some of the corporations attacked by MedusaLocker reported that they were charged an additional ransom "to keep their corporate data from leaking". However, even though those companies refused to pay the additional sum, no leaks were discovered in visible channels. There is no guarantee that the fraudsters did not sell this information through offline channels, but, again, the companies saw no impact on their business or other activities.